Skip to main content

Django EUVDEUVD-2026-34086

| CVE-2026-6873 LOW
Improper Verification of Cryptographic Signature (CWE-347)
2026-06-03 6a34fbeb-21d4-45e7-8e0a-62b95bc12c92 GHSA-h7pc-vwp9-298g
2.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 03, 2026 - 16:01 EUVD
Analysis Generated
Jun 03, 2026 - 14:32 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 12 pypi packages depend on django (12 direct, 0 indirect)

Ecosystem-wide dependent count for version 5.2.

DescriptionCVE.org

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. django.http.HttpRequest.get_signed_cookie in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct (name, salt) pairs that produce the same concatenation. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Peng Zhou for reporting this issue.

AnalysisAI

Cookie context confusion in Django's signed cookie implementation allows a remote low-privileged attacker to substitute a cookie signed in one application context into a different context where a distinct (name, salt) pair produces the same concatenated string. Affected are Django 6.0 before 6.0.6 and Django 5.2 before 5.2.15; older unsupported series (5.0.x, 4.1.x, 3.2.x) were not evaluated but may also be affected. The real-world impact is limited to low-confidence data exposure (VC:L), with no public exploit identified at time of analysis, and the CVSS 4.0 score of 2.3 reflects a low-severity, contextually constrained flaw.

Technical ContextAI

The vulnerability resides in django.http.HttpRequest.get_signed_cookie, part of Django's cryptographic cookie-signing subsystem (CPE: cpe:2.3:a:djangoproject:django:*). Django signs cookies using HMAC with a salt to bind a signed value to a specific purpose or context. The bug is that salt derivation is performed by naively concatenating the cookie name and the caller-supplied salt string - a non-injective function. Because concatenation of two strings is not uniquely reversible (e.g., name='ab', salt='cdef' produces the same string as name='abc', salt='def'), two completely distinct (name, salt) pairs can produce an identical HMAC key input. The root cause is classified as CWE-347 (Improper Verification of Cryptographic Signature): the signature itself may be cryptographically valid, but it is accepted in an unintended context because the domain-separation mechanism is broken. This is conceptually similar to JWT algorithm confusion or salt-reuse attacks in token systems, which explains the 'Jwt Attack' tag applied by the reporter.

RemediationAI

Upgrade to Django 6.0.6 or Django 5.2.15, which contain the vendor-released patch addressing the non-injective salt derivation. The fix is expected to introduce a separator or structurally distinct encoding between the cookie name and salt to ensure injectivity. Upgrade guidance and release notes are available at https://www.djangoproject.com/weblog/2026/jun/03/security-releases/ and security announcements at https://groups.google.com/g/django-announce. For deployments that cannot immediately upgrade, a targeted workaround is to audit all usages of get_signed_cookie in the application codebase and ensure no two (name, salt) pairs share the same concatenated string - for example, by enforcing a fixed-length cookie name prefix or using a delimiter character (such as ':') in the salt argument that cannot appear in cookie names. Note that this manual audit approach is error-prone and does not address the underlying library flaw; upgrading remains the only reliable remediation. Unsupported Django series (5.0.x and older) should be migrated to a supported branch as a priority.

CVE-2013-3900 MEDIUM
5.5 Dec 11

Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update

CVE-2026-48558 CRITICAL POC
9.5 Jun 12

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke

CVE-2025-59718 CRITICAL
9.8 Dec 09

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to

CVE-2025-25291 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2025-25292 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2022-25898 CRITICAL POC
9.8 Jul 01

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT

CVE-2024-42004 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti

CVE-2024-41145 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27

CVE-2024-41138 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-35929 CRITICAL POC
9.8 Aug 04

cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2022-31053 CRITICAL POC
9.8 Jun 13

Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)

Share

EUVD-2026-34086 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy